Security Firm Sees Global Cyberspying

SHANGHAI — An American cybersecurity company issued a report on Wednesday saying that it had identified a single perpetrator of cyberattacks that lasted up to five years on a wide range of governments, American corporations and even United Nations groups, and that the pattern of targets suggested the attacker was a “state actor.”

However, as with a number of other alarming recent reports on computer spying, the study offered few details that would allow independent verification, and it was difficult to immediately assess the damage done. It did not identify the location of the attacking computer system, say what kinds of documents or information were stolen, or offer any direct evidence of a state’s involvement.

The company, McAfee, said it had identified 72 targets — 49 of them American, including 14 federal, state and county agencies and 11 defense contractors — and also informed law enforcement agencies, which it said were investigating.

The White House referred questions to the Department of Homeland Security. At a news conference on other matters, that department’s secretary, Janet Napolitano, said: “We became aware of the McAfee report, I think, today, which is when it was released to the press, as well. We obviously will evaluate it, look at it and pursue what needs to be pursued in terms of its contents.”

One of the few named organizations, the World Anti-Doping Agency, cast doubt on the report’s assertion that the agency had been subject to a 14-month attack that began in August 2009. In a statement, the director general, David Howman, acknowledged that the agency had experienced an e-mail breach in February 2008, but said that “at this stage, W.A.D.A. has no evidence from its security experts of the intrusions as listed by McAfee and the agency has yet to be convinced that they took place.”

McAfee, which was recently acquired by Intel, said it released the report to coincide with the start on Wednesday of the annual Black Hat technical security conference in Las Vegas. Briefings were scheduled to be delivered at the conference. Details of the study were first published on the Web site of Vanity Fair.

Asked why McAfee decided not to identify most of the corporations that were targets in the attacks, the company said that the corporations were worried about being identified and alarming shareholders or customers.

Cybersecurity is now a major international concern, with hackers gaining access to sensitive corporate and military secrets, including intellectual property. The report comes after high-profile computer network attacks aimed at the International Monetary Fund, Sony and the Lockheed Martin Corporation, America’s largest military contractor.

Concern over attacks being carried out by nation-states is rising sharply, particularly after Google said last year that Chinese hackers stole some of the company’s source code. Many security experts say the Chinese government has built up a sophisticated cyberwarfare unit and that the government might be partnering with professional hackers. But the list of entities, government or private, suspected of hacking campaigns, is a long one.

Jeff Moss, an Internet security expert who founded the Black Hat Conference, said it would be hard to narrow down the suspects in a broad campaign. “China is a pretty convenient punching bag,” he said.

The company’s 14-page report, written by Dmitri Alperovitch, McAfee’s vice president for threat research, traced the attacks to at least 2006 and said they peaked in 2009. It called the attacks highly sophisticated and said targets included governments, companies, and organizations in Canada, Japan, South Korea, Taiwan, Switzerland and Britain.

“After painstaking analysis of the logs, even we were surprised by the enormous diversity of the victim organizations and were taken aback by the audacity of the perpetrators,” the report said.

McAfee said it identified a single perpetrator in March, when it discovered detailed logs of attacks while reviewing the contents of a server it had discovered in 2009 as part of an investigation into security breaches at defense companies. Joris Evers, a spokesman for McAfee, said the server was in a Western country but that he could not be more specific.

McAfee called the attacks Operation Shady RAT — RAT stands for remote access tool, a type of software used to control networked computers.

The duration of the attacks ranged from a month to what McAfee said was a sustained 28-month attack against an Olympic committee of an unidentified Asian nation.

What was done with the data “is still largely an open question,” Mr. Alperovitch wrote in the report. “However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team’s playbook), the loss represents a massive economic threat.”

Mr. Moss said subjects of attacks should be more forthcoming. “Companies do the public a disservice by not revealing when these things happen,” he said.

In mid-May, the Obama administration proposed creating international computer security standards with penalties for countries and organizations that fell short. The strategy calls for officials from the State Department, the Pentagon, the Justice Department, the Commerce Department and the Department of Homeland Security to work with their counterparts around the world to come up with international standards.

Obama administration officials said privately at the time that the hope was that the initiative would prod China and Russia into allowing more Internet freedom, cracking down on intellectual property theft and enacting stricter laws to protect computer users’ privacy.

In February, a Canadian federal cabinet minister said hackers, perhaps from China, had compromised computers in two Canadian government departments in early January, leaving bureaucrats with little or no Internet access for nearly two months. The minister, Stockwell B. Day Jr., the president of the Treasury Board, called the attack a “significant one” that went after financial records.

Also in February, McAfee released a report saying that at least five multinational oil and gas companies had suffered computer network attacks by a group of hackers based in China. Beijing has strongly denied any role in computer network attacks, and insisted it has been a frequent victim of such attacks itself.

On Wednesday, China’s Foreign Ministry did not respond to requests for comment about the latest McAfee report.

But last month, at a regularly scheduled news conference in Beijing, the Foreign Ministry spokesman, Hong Lei, said, “The Chinese government opposes hacking in all its manifestations.”

He added: “Hacking is an international issue, with which China also falls victim. China is willing to conduct international cooperation in this regard. We are dissatisfied with some people’s irresponsible remarks that link hacker attacks with the Chinese government.”

David Barboza reported from Shanghai, and Kevin Drew from Hong Kong. John Markoff contributed reporting from San Francisco and Somini Sengupta from Las Vegas.

A version of this article appears in print on August 4, 2011, on Page A11 of the New York edition with the headline: Security Firm Sees Global Cyberspying.